Bug 1902012
Summary: | CVE-2020-27818 pngcheck: global buffer overflow was discovered in check_chunk_name function via crafted pngfile [fedora-all] | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Marian Rehak <mrehak> |
Component: | pngcheck | Assignee: | Ben Beasley <code> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | 33 | CC: | code, dmoppert |
Target Milestone: | --- | Keywords: | Security, SecurityTracking |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | pngcheck-2.4.0-2.fc34 pngcheck-2.3.0-4.fc33 pngcheck-2.3.0-4.fc32 pngcheck-2.4.0-2.el8 pngcheck-2.4.0-2.el7 | Doc Type: | No Doc Update |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-12-02 13:29:45 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1902011 |
Description
Marian Rehak
2020-11-26 15:16:54 UTC
Use the following template to for the 'fedpkg update' request to submit an update for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable. ===== # bugfix, security, enhancement, newpackage (required) type=security # low, medium, high, urgent (required) severity=low # testing, stable request=testing # Bug numbers: 1234,9876 bugs=1902011,1902012 # Description of your update notes=Security fix for [PUT CVEs HERE] # Enable request automation based on the stable/unstable karma thresholds autokarma=True stable_karma=3 unstable_karma=-3 # Automatically close bugs when this marked as stable close_bugs=True # Suggest that users restart after update suggest_reboot=False ====== Additionally, you may opt to use the bodhi web interface to submit updates: https://bodhi.fedoraproject.org/updates/new Okay, I have a few questions here. I created a patch to fix the original issue (https://bugzilla.redhat.com/show_bug.cgi?id=1897485) and pushed updates to all Fedora versions the same day the issue was reported. These updates referenced the original bug: https://bodhi.fedoraproject.org/updates/FEDORA-2020-4349e95c4f https://bodhi.fedoraproject.org/updates/FEDORA-2020-23432b7b72 https://bodhi.fedoraproject.org/updates/FEDORA-2020-27b168926a Am I expected to create a new update that changes nothing, but references these two tracking bugs that were created a week after the original updates reached stable? Additionally, the instructions in this bug instruct me to mention one or more CVE IDs. Is there even a CVE for this issue? If so, how would I know about it? Thanks for your guidance. Hello, I create the flaws and trackers, the specific process for trackers is outside of my scope, @dmoppert would you please provide some guidance here? There already is a CVE and it automatically propagates into this tracker as well. (In reply to code from comment #2) > Okay, I have a few questions here. > > I created a patch to fix the original issue > (https://bugzilla.redhat.com/show_bug.cgi?id=1897485) and pushed updates to > all Fedora versions the same day the issue was reported. These updates > referenced the original bug: > > https://bodhi.fedoraproject.org/updates/FEDORA-2020-4349e95c4f > https://bodhi.fedoraproject.org/updates/FEDORA-2020-23432b7b72 > https://bodhi.fedoraproject.org/updates/FEDORA-2020-27b168926a > > Am I expected to create a new update that changes nothing, but references > these two tracking bugs that were created a week after the original updates > reached stable? > > Additionally, the instructions in this bug instruct me to mention one or > more CVE IDs. Is there even a CVE for this issue? If so, how would I know > about it? > > Thanks for your guidance. Thank you working on the updated. This issue has been assigned CVE-2020-27818. The trackers are usually created to allow package maintainers to create updates since not all pkg maintainers follow security flaws. Also it is good to include them in the bodhi update, so that we know what pkgs fixes what. However since you have already created an update and it has reached stable, feel free to close this tracker as CLOSED:ERRATA. Hope this answers your questions? Thanks, that is very helpful. The patch is released upstream in version 3.0.0. |